Re: [PATCH v2 1/7] kdb: Fix buffer overflow during tab-complete

From: Doug Anderson
Date: Mon Apr 22 2024 - 19:52:16 EST


Hi,

On Mon, Apr 22, 2024 at 9:37 AM Daniel Thompson
<daniel.thompson@xxxxxxxxxx> wrote:
>
> Currently, when the user attempts symbol completion with the Tab key, kdb
> will use strncpy() to insert the completed symbol into the command buffer.
> Unfortunately it passes the size of the source buffer rather than the
> destination to strncpy() with predictably horrible results. Most obviously
> if the command buffer is already full but cp, the cursor position, is in
> the middle of the buffer, then we will write past the end of the supplied
> buffer.
>
> Fix this by replacing the dubious strncpy() calls with memmove()/memcpy()
> calls plus explicit boundary checks to make sure we have enough space
> before we start moving characters around.
>
> Reported-by: Justin Stitt <justinstitt@xxxxxxxxxx>
> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziUJLpw@xxxxxxxxxxxxxx/
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Daniel Thompson <daniel.thompson@xxxxxxxxxx>
> ---
> kernel/debug/kdb/kdb_io.c | 21 +++++++++++++--------
> 1 file changed, 13 insertions(+), 8 deletions(-)

Boy, this function (and especially the tab handling) is hard to read.
I spent a bit of time trying to grok it and, as far as I can tell,
your patch makes things better and I don't see any bugs.

Reviewed-by: Douglas Anderson <dianders@xxxxxxxxxxxx>